rolandk
Explorer

DNS Resolution in Check Point SSL Network Extender

Hello,

We have several macOS clients who need to connect to a customer site via SSL VPN.

When they use our Viscosity/OpenVPN VPN and then connect to the customer VPN with SNX (i.e. use the connect button for native applications in the web portal), they can access internal resources in our company network, as Viscosity/OpenVPN is setting up split DNS, so DNS queries to @ourdomain.com are handled by our internal DNS server.

When their MacBook is located in the company internal network, they cannot resolve anything from internal @ourdomain.com DNS names anymore after connecting to the customer SSL VPN, as SSL VPN is overwriting the internal DNS servers and that seems to be active globally then.

How can this be resolved?

How can DNS be resolved selectively, i.e. by target domain?

regards
roland

0 Kudos
7 Replies
PhoneBoy
Admin

You may need a hotfix for this.
See: https://support.checkpoint.com/results/sk/sk115279

0 Kudos
rolandk
Explorer

> When connecting to SNX from Mac OS X, name resolution fails because it does not use the Office Mode IP address for the DNS server. Instead, it uses the DNS setting from Mac OS X.

> Traffic capture on Mac OS X shows that DNS traffic leaves the physical interface instead of SNX (utun0).

> The issue only happens in a DHCP environment, in which the Mac OS X machine obtains the IP address and DNS configuration from the DHCP server.

That does not apply for us, as SNX changes the DNS server to the customer's DNS server and so local name resolution in the office won't work anymore.

We need per-domain resolution with split DNS like in Viscosity.

0 Kudos
PhoneBoy
Admin

Like I said, you may need a hotfix for this, which is mentioned in the SK I linked to.
If your customer supports it, you can also use Endpoint Security VPN client to connect on macOS, which works correctly in this scenario.

0 Kudos
the_rock
Legend

What do you have configured as DNS suffix in the remote access gateway settings (if any)?

Andy

0 Kudos
rolandk
Explorer

We do not have access to the access gateway settings, as it is owned by the customer.

0 Kudos
the_rock
Legend

This is what I'm referring to.

Andy

Screenshot_1.png

0 Kudos
JH_Ranger
Participant

I am not sure about macOS, but in Windows, you can assign each interface a priority. The DNS server for the interface with the highest priority is used for all lookups. When you connect to SNX, it promotes the metric of that adapter (routing your DNS requests through the new Check Point Virtual Network adapter) to 1, but keeps the other connections at a higher value (e.g. 25, but you can check that by listing the routing table on the host).

If you want to use the DNS server on the LAN whilst connected to SNX, you could either promote that interface by giving it a lower metric, or you could manually configure the SNX Virtual Network Adapter to use your DNS server.

If you want to resolve your DNS selectively (based on target domain), you could use a DNS intercept tool, which intercepts DNS queries at the system level and directs them to the appropriate DNS servers based on a set of predefined rules. I think on Mac, you may even be able to use dnsmasq.

0 Kudos
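The dnsmasq approach suggested above, as an added example that is not part of the thread: a constructed split-DNS config that sends @ourdomain.com names to the company resolver and everything else to the server pushed by the customer SNX tunnel, plus a small shell function that reproduces dnsmasq's longest-suffix matching so you can check where a name would go before touching the Mac. All IP addresses are placeholders.

```shell
# Constructed dnsmasq config (placeholder IPs). On a Homebrew install it would
# typically live at /opt/homebrew/etc/dnsmasq.conf (assumption; check your path).
SPLIT_DNS_CONF='
# ourdomain.com and its subdomains -> company DNS reachable on the LAN / OpenVPN
server=/ourdomain.com/10.0.0.53
# a longer (more specific) suffix wins over a shorter one
server=/lab.ourdomain.com/10.0.0.54
# everything else -> DNS server handed out by the customer SNX tunnel
server=198.51.100.53
'

# split_dns_upstream NAME
# Print the upstream dnsmasq would use for NAME: the server= entry whose domain
# suffix is the longest match, or the default server= entry when none matches.
split_dns_upstream() {
  name=$1
  best=""; best_len=0; default=""
  while IFS= read -r line; do
    case $line in
      server=/*/*)
        rest=${line#server=/}
        dom=${rest%%/*}
        srv=${rest#*/}
        # match only on a whole label boundary: "ourdomain.com" or "*.ourdomain.com",
        # never "notourdomain.com"
        if [ "$name" = "$dom" ] || [ "${name%.$dom}" != "$name" ]; then
          if [ "${#dom}" -gt "$best_len" ]; then
            best=$srv; best_len=${#dom}
          fi
        fi
        ;;
      server=*)
        default=${line#server=}
        ;;
    esac
  done <<EOF
$SPLIT_DNS_CONF
EOF
  if [ -n "$best" ]; then printf '%s\n' "$best"; else printf '%s\n' "$default"; fi
}

# Example queries (uncomment to try):
# split_dns_upstream intranet.ourdomain.com   # 10.0.0.53
# split_dns_upstream www.customer.example     # 198.51.100.53
```

With dnsmasq listening on 127.0.0.1, point the Mac at it (for example `networksetup -setdnsservers Wi-Fi 127.0.0.1`) and verify the per-domain split with `scutil --dns`; note that if SNX replaces the system DNS servers after you connect, the local resolver address is what it will overwrite, so check `scutil --dns` again while the SNX tunnel is up.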